DRONE_ENV_PLUGIN_TOKEN does not allow DRONE_ENV_PLUGIN_ENDPOINT verification via http signature

Env variables:

Server use HttpSignature ( http-signature - npm ) package to verify the authenticity and integrity for YAML and ENV endpoints :

async authenticate(req, h) {
      const parsedSignature = HttpSignature.parseRequest(req.raw.req);

      if (!HttpSignature.verifyHMAC(parsedSignature, 'super-duper-secret')) {
        return h.unauthenticated(Boom.unauthorized(`Missing or invalid CI secret`));

      return h.authenticated({
        credentials: {
          user: 'ci',
          scope: ['ci'],

Env endpoint (ENV_PLUGIN_ENDPOINT) returns status code 401.
Although for the Yaml endpoint (DRONE_YAML_ENDPOINT) everything works fine and it returns status code 200.

What’s the difference in checking a shared secret for DRONE_ENV_PLUGIN_ENDPOINT and DRONE_YAML_ENDPOINT?